PT-2022-6746 · Google · Protobuf-Java

Published: 2022-09-29 · Updated: 2026-05-18 · CVE-2022-3509

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
protobuf-java core and lite, versions prior to 3.21.7
protobuf-java core and lite, versions prior to 3.20.3
protobuf-java core and lite, versions prior to 3.19.6
protobuf-java core and lite, versions prior to 3.16.3

Description
A parsing issue in protobuf-java core and lite can lead to a denial-of-service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage-collection pauses. The issue is related to errors in resource release.

Recommendations
For versions prior to 3.21.7, update to version 3.21.7 or later.
For versions prior to 3.20.3, update to version 3.20.3 or later.
For versions prior to 3.19.6, update to version 3.19.6 or later.
For versions prior to 3.16.3, update to version 3.16.3 or later.

Tags: Fix · DoS · Improper Resource Release · Resource Exhaustion


Weakness Enumeration

Related Identifiers

BDU:2023-03851
CLEANSTART-2026-DD05788
CLEANSTART-2026-JU62349
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-VH41554
CLEANSTART-2026-WK99982
CVE-2022-3509
GHSA-G5WW-5JH7-63CX

Affected Products

Astra Linux
Debian
Jira
Jira Service Management Server
Protobuf-Java